IPv6 Firewalls (NAT-like protection)

Kenny Taylor, CCNA

IPv6 adoption crawls forward, and is beginning to gain momentum. It is fairly simple and free to set up an IPv6 tunnel into your local area network through providers such as SixXS and Hurricane Electric.

The biggest concern over IPv6 adoption is security. When you route your first IPv6 subnet, you are completely exposing every IPv6-enabled device on your network, just as if you had dropped them on a public IPv4 class C block from your provider. That's a scary notion for any administrator.

Fortunately, Cisco has a solution that provides NAT-like security for your new IPv6 network. We will use IPv6 reflexive access lists to accomplish this. Basically, all incoming traffic is denied by default. When a connection is initiated from a LAN device to the internet, the router makes note of it and adds a temporary incoming access list entry for the return traffic. These incoming entries age out after a period of inactivity. This is the same stateful behaviour you get from a NAT firewall, without any address translation.

Here's a basic configuration, assuming that you're using an IPv6-to-IPv4 tunnel. The lines in red pertain to the IPv6 access lists:

    interface tunnel1

You can easily build on the incoming access list. I like to allow any incoming ICMP (ping) messages. I also have a web server on my LAN at 2001:1938:217:0:20c:29ff:fe83:91dd. We can change the incoming access list as follows:

    ipv6 access-list ipv6-in

By default, any traffic not matched by the access list gets dropped. So this actually gives you a more granular level of control than IPv4 NAT port address translation did.

Likewise, you can modify the outgoing access list to restrict what content your LAN users can access. Let's say you want to restrict their access to only http (tcp ports 80 and 443) and telnet (tcp 23). You can modify the outgoing access list to look like this (by default, all packets not matching the criteria will be dropped):

    ipv6 access-list ipv6-out
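As an added, complete example (written for this edit, not the author's original configuration, which did not survive on this page), the following IOS configuration implements everything the article describes on one tunnel interface: outbound traffic limited to http, https and telnet, every permitted outbound flow reflected into a temporary inbound entry, and static inbound exceptions for ICMPv6 and the LAN web server. The access list names ipv6-in and ipv6-out and the web server address come from the page; the reflexive list name ipv6-reflect, the 300-second idle timeout and the outbound udp 53 entry are my assumptions (without the DNS entry, LAN hosts could not resolve the names they browse to).

```cisco
! Outbound filter: what LAN hosts may initiate. Each permitted flow is
! recorded in the reflexive list ipv6-reflect (assumed name) so that only
! its return traffic is let back in; the entry expires after 300 idle seconds.
ipv6 access-list ipv6-out
 remark DNS is needed before any http/telnet session can start (added here)
 permit udp any any eq domain reflect ipv6-reflect timeout 300
 permit tcp any any eq www reflect ipv6-reflect timeout 300
 permit tcp any any eq 443 reflect ipv6-reflect timeout 300
 permit tcp any any eq telnet reflect ipv6-reflect timeout 300
 permit icmp any any reflect ipv6-reflect timeout 300
 remark implicit deny ipv6 any any: everything else from the LAN is dropped
!
! Inbound filter: static exceptions first, then the reflected entries.
ipv6 access-list ipv6-in
 remark allow ping and other ICMPv6 (also carries Packet Too Big for PMTUD)
 permit icmp any any
 remark static hole for the LAN web server described in the article
 permit tcp any host 2001:1938:217:0:20c:29ff:fe83:91dd eq www
 remark return traffic for sessions the LAN opened
 evaluate ipv6-reflect
 remark implicit deny ipv6 any any: unsolicited inbound traffic is dropped
!
interface Tunnel1
 ipv6 traffic-filter ipv6-in in
 ipv6 traffic-filter ipv6-out out
!
! Verification from exec mode: the first command lists the temporary
! entries created by LAN sessions, the others show hit counters per line.
! show ipv6 access-list ipv6-reflect
! show ipv6 access-list ipv6-in
! show ipv6 access-list ipv6-out
```

IOS IPv6 access lists end with implicit permits for neighbour discovery (nd-na and nd-ns) ahead of the implicit deny, so link-local neighbour resolution keeps working even with the restrictive filters above.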